v0.1.0

Openclaw Auto Training Skill

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:55 AM.

Analysis

This self-training skill is transparent about its goal, but it lets an external AI judge trigger autonomous skill installs and persistent learning, so it needs careful review before use.

Guidance: Install only if you are comfortable with an agent using your OpenRouter key, sending evaluation content to a third-party judge, writing persistent QA memory, and potentially installing new skills. Safer use would require manual approval and review before every suggested skill install or BotLearn post.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High, Confidence: High, Status: Concern
SKILL.md
Every step here is executed by you, autonomously... Else if skillSuggestion is set:
       - Run: clawhub install <skillSuggestion>

The skill tells the agent to perform a package/skill installation command autonomously when a suggestion is present, with no explicit approval or validation step.

User impact: A low score could cause your agent to install new skills and change its behavior without you reviewing what will be installed.
Recommendation: Require explicit user approval before every install, display the proposed skill ID/source/permissions, and consider restricting installs to an allowlist.

Agentic Supply Chain Vulnerabilities
Severity: High, Confidence: High, Status: Concern
SKILL.md
"skillSuggestion": "<skill-id or null>" ... When `skillSuggestion` is set and score < threshold:

```bash
clawhub install <skillSuggestion>
```

An external LLM judge output becomes the install target for a new skill, but the artifact does not define provenance checks, pinning, trust rules, or a review process.

User impact: A mistaken or manipulated judge response could lead to installation of an unintended or unsafe skill from the registry.
Recommendation: Validate suggested skill IDs, pin trusted sources/versions, show skill metadata before installation, and avoid using unreviewed LLM output as a direct install target.

Cascading Failures
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
After install:
- Re-read the skill's README/SKILL.md to understand its capabilities
- On the next round, actively use the newly installed skill when answering

A single bad skill suggestion can immediately affect later rounds and future agent behavior because the new skill is read and used after installation.

User impact: One incorrect install decision can compound into later answers and agent behavior, rather than staying isolated to the current evaluation.
Recommendation: Add containment: dry-run installs, require confirmation before use, keep rollback instructions, and stop the evaluation after any new install until the user reviews it.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
SKILL.md
`OPENROUTER_API_KEY` | — | Required for LLM judge ... If `OPENROUTER_API_KEY` is missing, read from `~/.config/openclaw/env` or `<WORKSPACE>/.env.local`.

The skill uses an API credential and reads local config/env files to obtain it; this is expected for the OpenRouter judge but is not declared in the registry requirements.

User impact: The agent may use your OpenRouter account/key for judging calls, which can incur cost or expose usage to that provider.
Recommendation: Use a scoped/limited OpenRouter key, monitor usage, and ensure the registry metadata declares the required credential.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low, Confidence: High, Status: Note
SKILL.md
Scores each response with an LLM judge via OpenRouter ... Posts a summary to BotLearn if botlearn skill is installed

The skill discloses sending evaluation content to an external provider and potentially another skill/service, but the artifact does not detail data boundaries for those summaries.

User impact: Task prompts, agent responses, feedback, or summaries may be visible to OpenRouter and possibly BotLearn.
Recommendation: Avoid running it on confidential tasks unless you accept those data flows, and add an opt-in confirmation before posting summaries to BotLearn.

Memory and Context Poisoning
Severity: Low, Confidence: High, Status: Note
SKILL.md
Logs results to `memory/qa-eval-YYYY-MM-DD.md` ... check `memory/qa-eval-*.md` for history

The skill writes evaluation results, judge feedback, installed skill lists, and knowledge gains to persistent memory that is later consulted for future runs.

User impact: Incorrect judge feedback or sensitive evaluation details could persist and influence later self-evaluations.
Recommendation: Keep logs free of secrets, review or prune QA memory periodically, and avoid treating stored judge feedback as authoritative without user review.